Method and system for conditional access to a digital content, associated terminal and subscriber device

ABSTRACT

A secure method for transmitting a control word between a server and a plurality of processing entities so as to respectively produce and utilize the control word. Preferably such a method is applied to the field of conditional access methods and systems for preventing the fraudulent use of compromised decryption keys resulting from a coalition of pirate hackers.

The invention relates to a secure system and method for transmitting, between a server and a plurality of entities, a ciphertext whose decryption is operated by such entities. The invention is a preferred, application in the field of systems and methods for conditional access to digital content to prevent fraudulent use of one or more decryption keys. The invention is particularly effective and manageable for operators to prevent piracy in the case where several unscrupulous users form a coalition to generate decryption data from which it is difficult to distinguish which decryption key(s) were used to produce said decryption data. The invention thus provides effective protection against the fraudulent supply of protected multimedia content while preserving the computing capabilities necessary for its implementation and the bandwidth of the protected content distribution networks.

The invention further relates to a method for triggering the temporary or permanent revocation of the electronic equipment made available to a subscriber or the possible restoration of the latter. The invention thus relates to the adaptations of said material—such as terminals optionally coupled to secure electronic devices—and to protected content distribution servers to allow the implementation of a method for robust and efficient conditional access.

A broadcast operator of digital content generally operates a Conditional Access System (CAS) to make a protected content available to a subscriber or a plurality of subscribers. Such a system generally relies on secure electronic devices, such as smart cards, to host the identities and/or the rights of subscribers and to perform operations of encryption, decryption, or number generating.

In the known conditional access systems, in order to distribute protected multimedia, content, encrypted control words c and encoded contents C are transmitted through a broadcast network, at regular intervals or crypto-periods, at least, known and controlled by the broadcast operator. An encrypted control word is generally obtained by means of an encryption function E such that c=E(k), k being the value or said control word. An encoded content C is itself obtained by a coding function enc and said control word k, such that C=enc(k,M), M being the multimedia content. By way of example, the encoding function may conform to the DVB-CSA (Digital Video Broadcasting-Common Scrambling Algorithm) norm. To be allowed to view or listen to protected content, a person must purchase a subscription, A subscriber receives a secure and dedicated device, usually in the form of a smart card, which, coupled with a terminal commonly called decoder or “set-top box”, represents a subscriber processing entity that allows said subscriber to decode a protected, content. The encrypted control words c are typically decrypted by the secure device which supplies the control words k to the terminal. The latter is responsible for carrying out the decoding of encoded content C and allows, through a Man-Machine interface adapted—for example, a living room television—accessing the content M.

Although the robustness of subscriber devices is particularly well known, knowledge of cryptographic hardware, algorithms or secrets have allowed hackers to “break” the security of secure electronic devices provided to subscribers. A hacker can then “clone” or emulate such a device and make some “reproductions” available to unscrupulous subscribers without the need to operate a pirate network to supply control words or contents.

To counter the hackers, operators usually come to know the existence of such a pirate network or the marketing of data decryption reproductions. By soliciting the services of a hacker, an operator can even obtain a “cloned” or emulated device and study it.

An operator, or more generally any “tracing” entity seeking to unmask subscriber secure devices whose safety has been compromised, encounters real difficulty in tracing the source of piracy. This is particularly true when the fraudulent decryption data which he has are the result of a collusion of several distinct decryption keys. Indeed, according to known techniques, decryption keys are little or not traceable or detectable by analyzing such decryption data. The investigation is all the more delicate when the collusion is extended. To try and circumvent this problem, some operators or tracers have significantly increased the size of the decryption keys of the control words as well as the ciphertexts of the latter. In known solutions, said sizes are directly related and increase linearly with respect to the total number of subscribers or to a bound on that number. Some known, techniques, such as the ones described for example in document US2008/0075287A1, manage at most to reduce these sizes in the order of the square root of the number of subscribers. Other techniques, such as the ones disclosed in document WO2007/138204, require a size of ciphertexts of the same order as the size of an eligible collusion. The ability of a tracer to detect a fraudulent decryption key has improved at the expense of the bandwidth of the broadcast networks and of the computing capacity of secure subscriber devices to produce, by crypto-period, control words whose ciphertext size is substantial. In addition, such solutions remain very penalizing and almost inoperable when the number of subscribers is large.

There are therefore no known methods allowing tracing and identifying one or more lawfully distributed decryption keys using decryption data resulting from collusions while preserving a realistic bandwidth and computing capacity to operate a protected content distribution service.

Among the many advantages provided by the invention, we can mention that the invention helps fight against the distribution of information to illegitimate users allowing a fraudulent decryption of protected, content broadcast to users, who, for example, contracted a paid subscription. Indeed, the invention allows effectively tracing and distinguishing a secret and dedicated decryption key used to develop such information. According to various embodiments, the invention allows dissociating the size of secret decryption keys of control words or their ciphertexts, the number of subscribers and/or eligible collusions. It provides operators with a highly effective and potentially dynamic compromise for dimensioning said sizes to preserve the bandwidth of the distribution network and the computing capacity of subscriber processing entities while tolerating a large number of possible collusions. The invention also allows remotely revoking a subscriber processing entity whose security may nave been broken, known as “treacherous entity,” while continuing to broadcast content through the broadcast network. The invention thus provides any content broadcasting operator a particularly simple and effective tool in the fight against piracy.

To this end, a secure method for transmitting a control word between a server and a plurality of processing entities is particularly planned to respectively generate and operate said control word.

Such a method comprises a first step for generating by the server an encrypted control word c whose plaintext k is intended to be used by the processing entity. It also includes a step for transmitting the encrypted control word c generated for the processing entities, as well as a step for receiving the encrypted control word c by those entities and producing a control word k from the encrypted control word c received.

To provide an “efficiency vs. resistance” compromise to treacherous key collusions, the invention provides that:

-   -   the server generates the encrypted, control word from:         -   a vector s of d_(s) elements each belonging to the set             _(p)* of non-zero integers modulo p, p being a prime number,             d_(s) being an integer strictly greater than 1 and small             compared to the number of processing entities;         -   a secret value γ known by the server and belonging to the             set             _(p)* of non-zero integers modulo p;         -   two generators belonging respectively to two cyclic groups             ₁ and             ₂ of order p, parameters of a bilinear group β=(p,             ₁,             ₂,             _(T), e(•,•)) of order p where e(•,•) is a coupling such             that e:             ₁×             ₂→             _(T),             _(T) being a third cyclic group of order p;     -   each processing entity generates a control word k from:         -   the encrypted control word c;         -   a decryption key DK_(i) known to the i^(th) entity and             previously generated from:             -   i. a vector x^((i)) of d_(x) elements each belonging to                 the set                 _(p)* of non-zero integers modulo p, d_(x) being an                 integer strictly greater than 1 and small compared to                 the number of processing entities, the vector x^((i))                 being dedicated to the entity concerned;             -   ii. the secret value γ;             -   iii. a generator belonging to one of the cyclic groups                 of the bilinear group β.

According to a preferred embodiment, such a method may comprise beforehand:

-   -   a step for developing a master secret key MK comprising the         secret component γ associated with public parameters among which         the bilinear group β;     -   a step for storing said key MK and public parameters within the         server;     -   a step for storing said public parameters within each processing         entity;     -   a step for generating, transmitting and storing the decryption         keys DK_(i), respectively dedicated and distinct, within the         processing entities.

The invention provides that each decryption key DK_(i) generated can advantageously comprise a component of form

$z^{\frac{1}{P{(\gamma)}}},$

z being a generator belonging to one of the cyclic groups of the linear group β and P being a polynomial in γ.

According to a preferred embodiment, the invention also relates to a method for conditional access to digital content including:

-   -   a step for encoding a digital content M and generating an         encoded content C using an encoding function implemented by a         broadcast server of protected digital contents;     -   a step for generating by said, broadcast server of protected         digital contents an encrypted control word c whose plaintext k         is intended for use by a plurality of subscriber processing         entities for decoding said, encoded content C;     -   a step for transmitting through a distribution network and to         the subscriber processing entities, said encrypted content C and         encrypted control word c;     -   a step for receiving by each subscriber processing entity said         encrypted content C and encrypted control word c;     -   a step for generating the plaintext of a control word k by each         subscriber processing entity from the ciphertext c;     -   a step for decoding by each subscriber processing entity the         encoded content C and generating a content M from a decoding         function and k;     -   a step for retrieving said content M by means of an interface         suited to said content.

The steps for generating and transmitting an encrypted control word by the broadcast server of protected digital contents, as well as the steps for receiving and generating the plaintext of a control word by the subscriber processing entities, comply with the secure method for transmitting a control word between a server and a plurality of processing entities in accordance with the invention.

The invention further relates to a system for conditional access to digital content comprising a server connected to a plurality of subscriber processing entities to implement a conditional access method, according to the invention.

Other features and advantages will become more apparent upon reading the following description and examining the accompanying figures, among which:

FIG. 1 shows a conditional access system according to the prior art;

FIG. 2 describes a conditional access system according to the invention;

FIG. 3 depicts an embodiment of a conditional access method according to the invention.

FIG. 1 shows a conditional access system to digital content according to the prior art. It consists of a broadcast network 4 implemented by a protected content broadcast operator. Thus, control words c and contents C, respectively encrypted, and encoded, are issued jointly from a content server 3. For that purpose, server 3 encodes a content M using an encoding function enc and a control word k, the latter being generated by said server 3. The result is an encoded content C such that C=enc(k,M). An encrypted version c of control word k is also issued or “broadcast” together with the encoded content C. For that purpose, the server encrypts said control word k using an encryption function E to obtain c such that c=E(k).

The encrypted control words c and encrypted, contents C are transmitted via the broadcast network 4 to terminals 2 a to 2 m. These are responsible respectively for decoding in real time the encoded, contents C issued by server 3. Thus a terminal—such as, for example, the decoder 2 a—implements a decoding function dec and applies it to the encoded content C to obtain the content M. The latter can be viewed using a living room television 5 or any other interface suited, to retrieve the content. To apply the decoding function dec, a terminal must know the value of control word k that was used by server 3 to encode content M. According to the prior art, and as shown in FIG. 1, a terminal 2 a to 2 m receives an encrypted, control word c such that c=E(k) and sends it to a secure electronic device 1 a to 1 m, usually dedicated to a subscriber. Terminal 2 a regularly receives, through network 4, couples (C,c) and transmits encrypted control words c to a device 1 a. Device 1 a can decrypt an encrypted control word c using a decryption function D to obtain the control word k used to encode content M. Thus k=D(c). The same applies to any other device, such as 2 b to 2 m, each respectively cooperating with a device 1 b to 1 m. According to a variant embodiment, server 3 can use a secret, for example in the form of a key Kc to encrypt a control word k. Thus c=E(Kc,k). In this case, a device, such as device 1 a to 1 m, implements a reciprocal decryption function D, such that k=D(Kd,c) where Kd is a decryption key known by the device. According to the encryption function E and decryption function D, keys Kc and Kd can be identical. This is the case for a symmetrical encrypt ion/decryption. Alternatively, according to a pattern called “broadcast encryption” Kc is a public or secret key dedicated to the operator and Kd is a secret key dedicated to the device (or, alternatively, to a group of devices) and known to the operator. According to this variant, there are therefore several individual decryption keys and each of the devices lawfully issued and delivered to the subscribers of said operator has such a personal decryption key.

To jeopardize such a conditional access system, hackers have developed their knowledge of cryptographic hardware, algorithms or secrets implemented in particular by the subscriber devices. Some know—or could—“break” the security of such subscriber electronic devices and be able to read the value of one or more decryption keys used to generate valid control words to ultimately decode encrypted messages. All it takes then, is to fraudulently put these keys—which we call “treacherous keys” —on a parallel market for unscrupulous users to integrate a treacherous key in a hacked terminal and thus benefit from unauthorized access to protected content. This type of criminal act can be greatly facilitated when a broadcast operator operates a conditional access system for which the content decoding function and decrypt ion function of encrypted control words are performed by a single and same processing entity made available to a subscriber. Thus, such an entity does not necessarily include security features to protect the means for storing the decryption keys and/or algorithms and methods used to generate the control words. Leaks resulting from, the insufficiently secure implementation of such algorithms allow revealing the decryption key manipulated, etc.

A hacker can thus provide certain “reproductions” of decryption keys to unscrupulous customers without necessarily operating a pirate network to distribute the control words or contents.

To try to counter such activities, it is useful to be able to trace or detect the “treacherous” or compromised decryption key which is the source of the reproduction. Such a key must therefore be traceable, that is to say, have a marker or a component that is dedicated to a subscriber. Thus, when in possession of a hacked terminal or the software implemented by the hacker, it is possible for a tracer to use certain methods of analysis to detect the secret data that was manipulated. The tracer's task becomes complicated when several treacherous keys are combined by a hacker or by a coalition of hackers.

The invention makes it possible to defeat these different hacking scenarios.

FIG. 2 helps to illustrate a conditional access system as an example of preferred embodiment of the invention. As with a known system, the invention provides a broadcast network 4 implemented by a protected content broadcast operator—or, more generally, any means—to transmit, from a content server 3, encoded contents C destined for a plurality of subscriber processing entities such as Ea, Eb, . . . Em entities. The invention further provides that the encoded contents C are emitted in conjunction with encrypted control words c whose plaintexts allow decoding said encoded contents by each subscriber entity. To do this, server 3 encodes a content M using an encoding function enc. The result is an encoded content C such that C=enc(M).

The security of such a system essentially lies in the fact that the control words can be generated, exchanged, and used securely by the server and the plurality of subscriber processing entities. Such control words could just as well be used in a different application context of a conditional access system to protected digital content.

The invention is based on the mathematical concept of coupling in first-order groups, a concept exploited in many publications including documents US2008/0075287A1 or WO2007/138204 mentioned above. Such coupling is a bilinear application typically used in cryptography, particularly in the field of elliptic curves.

Let β be a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of first order p such that |p|=λ, λ defining the size of elements as a security parameter.

₁,

₂ and

_(T) are three cyclic groups of order p and e:

₁×

₂→

_(T) is a coupling. A cyclic group is an algebraic set such that g^(p+1) is equal to g, p defining the order of the cyclic group and g being an element of the group that is called “generator”. Within the meaning of the invention, a special relationship between groups

₁ and

₂ is not required. The two groups may be the same or, more generally, an isomorphism Ψ between

₁ and

₂ can be defined. The invention provides that any possible, effectively computable, isomorphism and coupling be preferred.

According to a preferred embodiment, a processing entity Ei consists of a terminal 2 i coupled to a secure device 1 i, e.g. a smart, card, to respectively perform the decoding of an encoded content and the generating of control words required for said decoding. FIG. 2 shows the entities Ea, Eb and Em as resulting respectively from terminal 2 a, 2 b, 2 m coupled to a secure subscriber device 1 a, 1 b, 1 m.

Within the meaning of the invention, such an entity could be one and the same device that would encompass the two main functions previously described.

A secret and dedicated decryption key is known to each subscriber device (or subscriber entity). Thus, according to FIG. 2, device 1 a of entity Ea associated with subscriber a, knows the decryption key DK_(a). This key is distinct from key DK_(b), itself distinct from key DK_(m). These keys are only known respectively to entities Eb and Em (or, more precisely, to respective secure subscriber devices 1 b and 1 m). Although dedicated, and distinct, the decryption keys according to the invention are traceable (that is to say, identifiable in an action of discrimination or tracing, as discussed below). They are all generated from a master secret key MK known to server 3, said key being possibly associated with public parameters P—including bilinear group β—parameters known to said server, but also to the different processing entities, specifically, according to the preferred example described in connection with FIG. 2, known to devices 1 a to 1 m.

Decryption keys allow processing entities Ea to Em to generate a control word k which allows decoding the encoded contents. This control word k is generated from an encrypted control word c issued jointly with the encoded content C by server 3. According to the preferred example described in connection with FIG. 2, the secure devices 1 a to 1 m are responsible for generating the control word k within each processing entity Ea to Em. For this purpose, terminals 2 a to 2 m are able to receive the encrypted control words c and are also able to transmit said encrypted words c to the respective secure device. The control words generated by devices 1 a to Am are transmitted, back to the respective terminals so that they can decode the encoded contents C and thereby in turn produce a content M returned by a man-machine interface adapted 5 to a subscriber.

FIG. 3 is used to describe an example of application of the invention in the form of a conditional access method to protected content implemented by a system such as that described in connection with FIG. 2. By way of simplification, the plurality of processing entities is represented by entity Ei as terminal 21 associated with a secure subscriber device 1 i. Encoded contents C are transmitted from, server 3 to entity Ei via a network 4. Any other broadcasting means could, be used for this purpose. The encoded contents are associated with encrypted control words c whose plaintexts allow decoding the encoded contents. Terminal 2 i is able to receive the encoded contents and the encrypted control words. The latter are transmitted by the terminal to the subscriber device which, using the secret decryption key DK_(i) and the public parameters PP, generates the control words and transmits them back to the terminal 21. This terminal can decode the encoded contents C using the control word k and deliver the contents M to the interface 5. In order to achieve this, a conditional access method according to the invention consists of the main steps 310, 110 and 210, corresponding respectively to:

-   -   310: producing and issuing encoded content C associated with         encrypted control words c to processing entities;     -   110: producing control words k from the encrypted control words         c and the decryption key DK_(i);     -   210: decoding the encoded contents from the control words k.

Optionally, these steps may be preceded by steps 300 and 100 which consist in generating public parameters PP and saving them in the processing entities Ei, specifically the secure devices. FIG. 3 also describes the preliminary steps 301 and 101 of generating the decryption keys DK_(i) and storing them in processing entities Ei, specifically in devices 1 i.

Beyond the preferred example applied to the conditional access method, and system, the invention relates primarily to a secure method for transmitting a control word between a server and a plurality of processing entities to respectively produce and exploit said control word.

Let us examine through two embodiments how to implement such a method—applied to the application example described in connection with FIG. 3.

Let β be a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of first order p such that |p|=λ, λ defining the size of elements as a security parameter.

₁,

₂ and

_(T) are three cyclic groups of order p and e:

₁×

₂→

_(T) is a coupling.

A method according to the invention comprises:

-   -   a step 310 for generating by a server an encrypted control word         c whose plaintext k is intended to be used 210 by the processing         entity;     -   a step for transmitting the encrypted control word c generated         to the processing entities;     -   a step for receiving the encrypted control word c by said         entities;     -   a step for generating 110 a control word k by each processing         entity from the encrypted control word c received.

To maintain the traceability of the decryption keys DK_(i) while allowing high efficiency (in terms of bandwidth and processing power), step 310 for generating the encrypted version of a control word is performed by server 3 from:

-   -   a vector s of d_(s) elements each belonging to the set         _(p)* of non-zero integers modulo p, p being a prime number,         d_(s) being an integer strictly greater than 1 and small in         terms of the number of processing entities;     -   a secret value γ known to server 3 and belonging to the set         _(p)* of non-zero integers modulo p;     -   two generators belonging respectively to cyclic groups         ₁ and         ₂, parameters of bilinear group β=(p,         ₁,         ₂,         _(T),e(•,•)).

Each processing entity Ei generates 110 a control word k from:

-   -   the encrypted control word c;     -   a decryption key DK_(i) known to the entity Ei and previously         generated from:         -   a vector x^((i)) of d_(x) elements each belonging to the set             _(p)* of non-zero integers modulo p, d_(x) being an integer             strictly greater than 1 and small in terms of the number of             processing entities, the vector x^((i)) being dedicated to             the concerned entity;         -   the secret value γ;         -   a generator belonging to one of the cyclic groups of the             bilinear group β.

The invention provides that the integer values of d_(x) and of d_(s) be small in terms of a number of entities and therefore ultimately in terms of the number of subscribers or hackers.

These two integers are security parameters used to determine and adjust the compromise “efficiency vs. resistance” depending on the dishonest collusions. The parameter d_(x) is used to scale the size of a decryption key according to the invention. The parameter d_(s) is used directly to scale the size of encrypted control words.

Therefore, d_(s) has a direct impact on the bandwidth of the broadcast network of encrypted control words. d_(x) (just as d_(s)) has itself a direct impact on the processing capabilities of the entity (or the secure device) that must store and handle the decryption keys to produce the plaintexts of the control words from their ciphertexts.

Unlike known solutions for which the sizes of keys and encrypted versions grow linearly with the size of the collusions or with the square root of the number of subscribers or groups of subscribers, the invention allows maintaining particularly advantageous sizes and without comparison with known solutions. So, if we consider that there is a risk t of coalitions, then a process according to the invention will help define d_(x) and d_(s) such that

$t = {C_{d_{x} + d_{s} - 1}^{d_{x}} = {\frac{\left( {d_{x} + d_{s} - 1} \right)!}{{d_{x}!}{\left( {d_{s} - 1} \right)!}}.}}$

By way of examples, the invention allows obtaining (depending on the embodiment) the following compromises:

-   -   for t=120: d_(x)=3 et d_(s)=7;     -   for t=126: d_(x)=4 et d_(s)=5;     -   for t=105: d_(x)=2 et d_(s)=13.

These results allow emphasizing the particularly significant contribution of the invention compared to of the prior art.

As shown in FIG. 3, a method, for securely transmitting a control word between a server and a plurality of processing entities, according to the invention, may comprise a step 300 to develop and store a master secret key MK comprising the secret component γ associated with public parameters, such as the bilinear group β. It may also include a step 100 to store said public parameters within each processing entity—more specifically and preferably—within, the secure subscriber device of said entity. Upon purchasing a subscription, for example, in order to be able to deliver material to a subscriber knowing the secret and dedicated decryption key DK_(i), such a method may also include a step to produce 301, transmit and record 101 the decryption key DK_(i) within the processing entity—more specifically and preferably—within the subscriber secure device of said entity.

We will successively describe two embodiments of such a method. These two embodiments have particularly in common that the decryption key DK_(i) generated has a component of the form

$z^{\frac{1}{P{(\gamma)}}},$

z being a generator belonging to one of the cyclic groups and the bilinear group β and P being a polynomial in γ.

According to a first embodiment, for a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) and the security parameters d_(x) and d_(s) selected, the master secret key MK consists of γ and g, such that MK=(γ,g). γ is a secret value belonging to the set

_(p)* of non-zero integers first modulo p. g is a generator of the group

₁. The value of g can advantageously be randomly selected. Similarly, a generator h of the group

₂ is possibly randomly selected. Advantageously, v=e(g,h) can be calculated and value v can be associated with the components γ and g of key MK.

To constitute the public parameters, g^(γ), g^(γ) ² , . . . ,

g^(γ^(d_(s) − 1)),

h^(γ), . . . ,

h^(γ^(d_(x) − 1))

are calculated. In addition to β and h, all these values represent the public parameters.

Ail these calculations or random selections can be performed by the server 3 or be performed and obtained from a separate and dedicated server for this purpose.

According to this first embodiment, the step to generate a decryption key consists in generating said key as a result of two components, such as DK_(i)=(x^((i)),A_(i)) where

$A_{i} = g^{\frac{1}{P{(\gamma)}}}$

with P(γ)=(γ+x₁ ^((i)))·(γ+x₂ ^((i))) . . . (γ+x_(d) _(x) ^((i))). Thus, upon the subscription of a new user or subscriber i, the unique and dedicated key DK_(i) is generated then transmitted and recorded—preferably securely—in the processing entity Ei which will exploit said key to generate the control words. More specifically, such a key is stored in a secure device 1 i component of the entity Ei.

To produce an encrypted control word, the server 3 generates said word as the result of two components such as

$c = \left( {s,h^{\frac{1}{Q{(\gamma)}}}} \right)$

with Q(γ)=(γ+s₁)·(γ+s₂) . . . (γ+s_(d) _(s) ), s being a vector of the elements d_(s) of

_(p)*. Vector s can be written as s=(s₁, s₂, . . . , s_(d) _(s) ).

Upon receiving an encrypted control word c, a processing entity Ei implements a step to produce the plaintext of the control word. This step aims to retrieve a control word k whose value should be

$k = {{e\left( {g,h} \right)}^{\frac{1}{\gamma + s}}.}$

This step consists in generating k such that

$k = {{e\left( {g^{\alpha},h^{\frac{1}{Q{(\gamma)}}}} \right)} \cdot {e\left( {A_{i},h^{\xi}} \right)} \cdot {{e\left( {A_{i},h^{\frac{1}{Q{(\gamma)}}}} \right)}^{\theta}.}}$

The computing elements α, ξ and θ are such that:

${\alpha = {1 - {\theta \left( {{\frac{1}{P}\lbrack Q\rbrack}(\gamma)} \right)}}},{\xi = {{- {\theta \left( {{\frac{1}{Q}\lbrack P\rbrack}(\gamma)} \right)}}\mspace{14mu} {and}}}$ ${\theta = \frac{1}{{\langle{\frac{1}{P}\lbrack Q\rbrack}\rangle}^{0}}},{\frac{1}{P}\lbrack Q\rbrack}$

being the notation to designate the opposite of the polynomial P modulo, the polynomial Q and

${\langle{\frac{1}{P}\lbrack Q\rbrack}\rangle}^{0}$

designating the term of 0 degree of the polynomial

${\frac{1}{P}\lbrack Q\rbrack}.$

We can see that θ is a constant computable from the coefficients of P and Q, and that the values ξ and α (which are polynomials in γ) are not required in the calculation to produce the plaintext of the control word. Indeed, combinations of successive powers of g^(γ) and h^(γ) contained in the public parameters) are used to reconstruct the desired polynomials in exponents of g and h and thereby to obtain g^(α) and h^(ξ) which allows generating the plaintext of the control word.

The elements α, ξ and θ can also be described as follows:

${\alpha = {1 - \frac{\sum\limits_{l = 1}^{d_{s}}\; \frac{Q_{l}(\gamma)}{R_{l}\left( {- s_{l}} \right)}}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}}},{\xi = {{- \frac{\sum\limits_{l = 1}^{d_{x}}\; \frac{P_{l}(\gamma)}{R_{l + {ds}}\left( {- s_{l}} \right)}}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}}\mspace{14mu} {and}}}$ $\theta = \frac{1}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}$

with:

${{Q_{l}(\gamma)} = {\prod\limits_{\underset{j \neq l}{j = 1}}^{d_{s}}\; \left( {s_{j} + \gamma} \right)}},{{P_{l}(\gamma)} = {\prod\limits_{\underset{q \neq l}{q = 1}}^{d_{x}}\; \left( {x_{q}^{(i)} + \gamma} \right)}},{{R_{l}(\gamma)} = {\prod\limits_{\underset{j \neq l}{j = 1}}^{d_{s} + d_{x}}\; \left( {s_{j} + \gamma} \right)}}$ and  s_(d_(s) + m) = x_(m)^((i))

for m=1, . . . , d_(x).

In this first, embodiment, the size of the decryption key DK_(i) is linear in d_(x). As for the size of the ciphertext, it is linear in d_(s).

In a variant of this first embodiment, it is possible to reduce the size of the ciphertexts c and the secret decryption keys DK_(i). Indeed, first of all, the vector x^((i))=(x₁ ^((i)), . . . , x_(d) _(x) ^((i))) may be generated during the production of a key DK_(i) by server 3 from a seed μ_(i). This seed is then a component of the secret key such that DK_(i)=(μ_(i),A_(i)). Reciprocally, the vector x^((i)) can be recovered by the processing entity using said seed during decryption of the control word. Furthermore, the vector s=(s₁, . . . , s_(d) _(s) ) may be generated during the production of a ciphertext c by server 3, from a seed η. This seed is then a component of the ciphertext such that

$c = {\left( {\eta,h^{\frac{1}{Q{(\gamma)}}}} \right).}$

Reciprocally, the vector s can be recovered by the processing entity using said seed η during the decryption of the control word.

In this variant, the sizes of the decryption key DK_(i) and of the ciphertext become constant.

In a second embodiment, for a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) and the security parameters d_(x) and d_(s) selected, the master secret key MK consists of γ and g, such that MK=(γ,g). γ is a secret value belonging to the set

_(p)* of non-zero integers first modulo p. g is a generator of the group

₁. The value of g can advantageously be randomly selected. Similarly, we choose, possibly randomly, a generator h of the group

₂. Advantageously, we can calculate v=e(g,h) and associate value v with components γ and g of key MK.

Public parameters are β.

All these calculations or random selections can be performed by server 3, or be performed and obtained from a separate server dedicated to this purpose.

According to this second embodiment, the step for generating a decryption key consists in generating said key as a result of two components such that DK_(i)=(A_(i),B^((i))) where

$A_{i} = g^{\sum\limits_{j = 1}^{d_{x}}\frac{x_{j}^{(i)}}{\gamma + x_{j}^{(i)}}}$

and vector B^((i)) of elements d_(x) such that:

${B^{(i)} = \left( {B_{1}^{(i)},x_{1}^{(i)}} \right)},\left( {B_{2}^{(i)},x_{2}^{(i)}} \right),\ldots \mspace{14mu},{\left( {B_{d_{x}}^{(i)},x_{d_{x}}^{(i)}} \right) = \left( {h^{\frac{1}{\gamma + x_{1}^{(i)}}},x_{1}^{(i)}} \right)},\left( {h^{\frac{1}{\gamma + x_{2}^{(i)}}},x_{2}^{(i)}} \right),\ldots \mspace{14mu},\left( {h^{\frac{1}{\gamma + x_{d_{x}}^{(i)}}},x_{d_{x}}^{(i)}} \right)$

Thus, upon the subscription of a new user or subscriber i, the unique and dedicated key DK_(i) is generated then transmitted and stored—preferably securely—in the processing entity Ei which will use said key to generate the control words. More specifically, such a key is stored in a secure device 1 i component of the entity Ei.

To generate an encrypted, control word, server 3 generates the encrypted control word as the result of four components such as c=(W₁,W₂,s,U) with U=(U₁, . . . , U_(d) _(s) ) vector of d_(s) values. The vector U is such that

${U_{1} = h^{\frac{1}{\gamma + s_{1}}}},{U_{2} = h^{\frac{1}{{({\gamma + s_{1}})} \cdot {({\gamma + s_{2}})}}}},\ldots \mspace{14mu},{U_{d_{s}} = {h^{\frac{1}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}}.}}$

Components W₁=(g^(γ))^(m),

$W_{2} = {h^{\frac{m}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}} = U_{d_{s}}^{m}}$

being an integer.

Upon, receiving an encrypted control word, c, a processing entity Ei implements a step to generate the plaintext of said control word. The purpose of this step is to retrieve a control word k whose value should be

${k = {e\left( {g,h} \right)}^{\frac{m \cdot d_{x}}{\prod\limits_{j = 1}^{d\; x}{({\gamma + s_{j}})}}}},$

m being the integer previously selected. This step consists in calculating k such that

$k = {{{{e\left( {g^{\gamma},{\prod\limits_{j = 1}^{d_{x}}\left( B_{j}^{(1)} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} \right)} \cdot {e\left( {A_{i},W_{2}} \right)}}\mspace{14mu} {where}\mspace{14mu} {\prod\limits_{j = 1}^{d_{x}}\left( B_{j}^{(i)} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} = {\prod\limits_{j = 1}^{d_{x}}\left( {B_{j}^{(i)} \cdot {\prod\limits_{y = 1}^{d_{s}}U_{y}^{{({- 1})}^{i + d_{s}} \cdot {\prod\limits_{n = 1}^{y - 1}\; {({x_{j}^{(i)} - s_{n}})}}}}} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({x_{j}^{(i)} - s_{l}})}}}}}$

According to this second embodiment, the size of the decryption key DK_(i) is linear in d_(x). The size of the ciphertext is itself linear in d_(s).

A particularly advantageous choice may be to determine d_(s) and d_(x) such that the number of collusions t is exponential in (d_(x)+d_(s)).

Whether in the first or second embodiment, it is particularly advantageous that the component A_(i) of key DK_(i) be stored by means of secure storage in each processing unit. This is particularly relevant when a processing unit comprises a secure device. It suffices, in this case—to ensure the robustness of the system—that said, component A_(i) be at least stored in it or, alternatively, the entire key DK_(i). Storing only the component A_(i) can reduce the safe storage capacity necessary for the robustness of the system.

As an example, and to illustrate the ability of a tracer to detect a decryption key, we are now presenting a method, for tracing. To describe this method, we will use a notation such as

U,V

to describe such a coupling (or pairing) equivalent to the notation e(U,V) previously used. Let us consider that the tracer was able to recover a pirate decoder. The analysis of the latter allows him to get the pirate software and to implement a white-box type tracing method.

In a first step, the pirate decoder is interpreted as a sequence of formal instructions. Each instruction consists of a reference operation, one or more input variables and one output variable. Conventionally, the operations known as reference operations are listed in a dictionary (the instruction set) and can be of various kinds: arithmetic or logic operations, conditional jumps or not, subprogram calls, etc.

In this phase of classical abstract interpretation, the decoder is therefore rewritten in the form of a sequence of instructions among which will stand out the operations associated with the bilinear system (p,

₁,

₂,

_(T)) implemented by the encryption method according to the invention:

-   -   operations of multiplication T=U·U′ in         ₁,     -   operations of multiplication S=V·V′ in         ₂,     -   operations of exponentiation U=T^(a) in         ₁,     -   operations of exponentiation V=S^(b) in         ₂,     -   operations of bilinear coupling α=         U,V         (called pairing) of         ₁×         ₂→         _(T),     -   operations of multiplication γ=α·β in         _(T),     -   operations of exponentiation β=α^(c) in         _(T).

These operations are called algebraic while all others will be classified as related operations. In this same phase of interpretation, the input and output variables of each, instruction are written in a Single Assignment) so that the computation graph of any variable manipulated, by him during his formal execution can easily be deducted from this representation of the pirate decoder. The input variables of the instructions can only be of the following four types:

1. a. constant variable belonging to the starting program,

2. an intermediate variable,

3. an input variable of the program representing a portion of the ciphertext, or

4. a random variable resulting from a call, to a random source external to the decoder program.

The output variable or the program, represents the data, k and comes from a computation graph of output value in

_(T).

In a second step known as specialization, the rewritten program is modified to make it suitable for the subsequent identification of traitors. By rewriting the program, all instructions that do not participate in the computation graph of the output variable k (instructions not related to the graph) can be removed from it. It is then necessary to try to set all the input variables of the program (those of types 3 and 4) at constant values that the program is able to decrypt correctly.

This search for constant values may be conducted randomly and exhaustively and, if the decoder originally given is functional enough (that is to say decrypts in a significant fraction of cases on average), this search step will quickly be completed after a few tries.

When the values are suitable, they are substituted for the corresponding variables in the program, so that said program will always run the same way. Thus, an example of successful implementation is instantiated by the new program composed only of instructions performed on constants.

The tracing process now includes a step to simplify the program by obtaining a single sequence of instructions without jump:

-   -   a propagation of constants is performed to remove all secondary         instructions whose input variables are all constants; this         transformation excludes therefore the algebraic operations.     -   instructions whose execution is tautological are eliminated:         -   conditional jumps are either eliminated or replaced by             unconditional jumps;         -   function calls are replaced by a copy of the body of the             called function;         -   unnecessary instructions or dead codes are eliminated.

At the end of this step, unconditional jumps are deleted by juxtaposing sequences of linear instructions end to end in chronological order of execution. The program then becomes a series of sequential algebraic instructions without control flow.

At this point, several transformations are applied in an inductive and concurrent manner to the program obtained. To this end, the following is introduced:

-   -   a formal instruction expo_(i)(u,a) that represents the         calculation of u^(a) in         _(i) with i∈{1,2,T};     -   a formal instruction of extended “pairing”         U,V;a         which represents the calculation of         U,V         .

The following algebraic simplifications are then executed, in an inductive and concurrent manner, until the program is stabilized:

-   -   each exponentiation instruction u^(a) is replaced by         expo_(i)(u,a) for the appropriate i∈{1,2,T};     -   each variable u is replaced by expo_(i)(u,1) for the appropriate         i∈{1,2,T};     -   each combination of instructions of the type expo_(i)(u·v,a) is         replaced by expo_(i)(u,a)·expo_(i)(v,a);     -   each combination of instructions of the type         expo_(i)(u,a)·expo_(i)(u,b) is replaced by expo_(i)(u,a+b mod         p);     -   each combination of instructions of the type         expo_(i)(expo_(i)(u,a),b) is replaced by expo_(i)(u,ab mod p);     -   each “pairing” instruction         U,V         is replaced by         U,V;1         ;     -   each combination of instructions of the type         U·U′,V;a         is replaced by         U,V;a         ·         U′,V;a         ;     -   each combination of instructions of type         U,V·V′;a         is replaced by         U,V;a         ·         U,V′;a         ;     -   each combination of instructions of type         expo₁(U,a),V;b         is replaced by         U,V;ab mod p         ;     -   each combination of instructions of type         U,expo₂(V,a);b         is replaced by         U,V;ab mod p         ;     -   each combination of instructions of type         U,V;a         ·         U,V;b         is replaced by         U,V;a+b mod p         ;     -   each combination of instructions of type expo_(T)(         U,V;a         ,b) is replaced by         U,V;ab mod p         ;     -   expo_(i)(u,0) is replaced by 1,         U,V;0         by 1 and 1·u by u.

At the end of this simplification step, the calculation of k∈

_(T) can therefore be represented as the result of a product k=k₁·k₂ where:

-   -   k₁ is a product of n extended “pairings” whose inputs         (U_(i),V_(i),a_(i)) for i=1, . . . , n consist of two points         U_(i) and V_(i) and an integer a_(i) modulo p such as         (U_(i),V_(i))≠(U_(j),V_(j)) for i≠j. The variables U_(i), V_(i)         and a_(i) are constant values due to the specialization step.         Each variable U_(i), V_(i) is necessarily either a constant         stored in the program, or an input variable which is part of the         ciphertext given at the beginning;     -   k₂ is a product of m elements of         _(T) i.e. k₂=expo_(T)(α₁,b₁) . . . expo_(T)(α_(m),b_(m)) where         α_(i)≠α_(j) for 1≦i≠j≦m. Each variable α_(i) is necessarily         either a constant stored in the program, or a portion of the         ciphertext.

In a third step, the coefficient corresponding to each algebraic element of ciphertext c given at the beginning is identified.

More specifically, if the ciphertext given at the beginning contains u₁, . . . , u_(r) ₁ ∈

₁, v₁, . . . , v_(r) ₂ ∈

₂ and w₁, . . . , w_(r) _(T) ∈

_(T),

-   -   for any v_(i,j)∈[1,r₂], all the values a_(i) such as v_(j)=V_(i)         are collected and U_(i)∉{u₁, . . . , u_(r) ₁ } is not an element         of the ciphertext; a vector

coef(v_(j)) = (a_(i₁), …  , a_(i_(d_(j))))

is thereby formed;

-   -   for any v_(i,j)∈[1,r₂], the values a_(i), such as v_(j)=V_(i)         are collected and U_(i)∉{u₁, . . . , u_(r) ₁ } is not an element         of the ciphertext; a vector

coef(v_(j)) = (a_(i₁), …  , a_(i_(d_(j))))

is thereby formed;

-   -   for any w_(i,j)∈[1,r_(T)], coef(w_(j))=b_(i) such as w_(j)=α_(i)         is collected;

For each pair (u_(l),v_(l)), (l,j)∈[1,r₁]×[1,r₁], coef(u_(l),v_(j))=a_(i) where (u_(l),v_(l))=(U_(i),V_(i)) is collected.

In each of these identification steps, the coefficient is set to 0 by default when a corresponding index i cannot be found.

We now focus on the values of {coef (u_(i)),coef (v_(j)),coef(w_(ε)),coef (u_(i),v_(j))}. The mathematical properties of the invention ensure that these values are functions known in advance involving elements x₁, . . . , x_(ε)∈

_(p) composing the compromised keys and fixed parameters s₁, . . . , s_(l)∈

_(p) composing the ciphertext c given at the beginning.

This forms a system of multivariate equations:

coef(u₁) = f₁(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(u₂) = f₂(x₁, …  , x_(ɛ), s₁, …  , s_(l)) ⋮ coef(u_(r₁)) = f_(r₁)(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(v₁) = g₁(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(v₂) = g₂(x₁, …  , x_(ɛ), s₁, …  , s_(l)) ⋮ coef(v_(r₂)) = g_(r₂)(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(w₁) = h₁(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(w₂) = h₂(x₁ , …  , x_(ɛ), s₁, …  , s_(l)) ⋮ coef(w_(r_(T))) = h_(r_(T))(x₁, …  , x_(ɛ), s₁, …  , s_(l)) coef(u₁, v₁) = q_(1, 1)(x₁, …  , x_(ɛ), s₁, …  , s_(l)) ⋮ coef(u_(r₁), v_(r₂)) = q_(r₁, r₂)(x₁, …  , x_(ɛ), s₁, …  , s_(l))

Knowing the numerical values of these coefficients, the fixed parameters s_(j) and functions ƒ_(i), g_(j), h_(ε), q_(a,b)′ the system can be reversed to retrieve at least one of the elements x₁, . . . , x_(ε) composing one of the compromised keys and thus fully identify this key. This step may require having ε≦B(r₁,r₂,r_(T)) where B(r₁,r₂,r_(T)) is a terminal which depends on the embodiment of the invention. Functions ƒ_(i), g_(j), h_(k), q_(a,b) also depend on the embodiment of the invention.

As an example, if we are operating in the context of the second embodiment described above, any decryption program shows the vector x^((i)) of one (or more) user(s) i in a masked or unmasked form. The tracer has therefore access to x^((i)) which were distributed to one or more users, who are therefore identified as traitors.

The invention also provides that a processing entity can be revoked if, for example, it has been, identified as a traitor or for any other reason, and thus prevent said entity from generating a valid control word to allow, for example, the decoding of an encoded content.

The invention provides that two types of revocations can be implemented: a temporary or a permanent revocation.

A temporary revocation results in one or more treacherous entities being temporarily unable to generate more valid control words. A permanent revocation inhibits such generating.

To illustrate this variant, and as an example, we are going to describe the adaptations made to a secure method consistent with the invention and based, on the second embodiment.

Similar adaptations could be made as well to other methods consistent with the invention.

To implement a permanent revocation, the invention provides two additional steps to the methods described above. The first step is to generate revocation data D

that are transmitted to all of the processing entities. These data are used to define the exclusion of a set

of one or more treacherous entities. The second additional step is to update the decryption key DK_(i) of the entities which do not belong to

so they can continue to generate valid control words.

Let us consider that the treacherous entities are entities E1 to Er (or secure subscriber devices 1 ₁ to 1 _(r)). Let us number such entities from 1 to r. The first step to define the revocation data D

consists in calculating, according to this example, D

=(R₁, . . . , R_(r)) with

${R_{1} = h^{\frac{1}{\gamma + x_{j}^{(i)}}}},{R_{2} = h^{\frac{1}{{({\gamma + x_{j}^{(1)}})} \cdot {({\gamma + x_{j}^{(2)}})}}}},\ldots \mspace{14mu},{R_{r} = h^{\frac{1}{{({\gamma + x_{j}^{(1)}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + x_{j}^{(r)}})}}}},$

for a value of j∈[1,d_(x)], for example, j=1. The value of the generator h is then modified to take the value of

$\left. {R_{r}\text{:}\mspace{14mu} h}\leftarrow R_{r} \right. = {h^{\frac{1}{{({\gamma + x_{j}^{(1)}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + x_{j}^{(r)}})}}}.}$

Revocation data D

=(R₁, . . . , R_(r)) are then distributed to all entities.

The second, additional step consists now in changing the decryption keys DK_(i) of the entities which do not belong to

so that they can continue to generate valid control words. The key DK_(i,)

, corresponding to the i^(th) user or subscriber, that was generated from D

, is such that DK_(i,)

=(A_(i),B^((i,)

⁾). The vector B^((i,)

⁾=(B₁ ^((i,)

⁾,x₁ ^((i))), (B₂ ^((i,)

⁾,x₂ ^((i))), . . . , (B_(d) _(x) ^((i,)

⁾,x_(d) _(x) ^((i))) of the d_(x) elects is such that

$B_{j}^{({i,\Re})} = {\left( B_{j}^{(i)} \right)^{\frac{1}{\prod\limits_{j = 1}^{r}\; {({\gamma + x_{w}^{(l)}})}}} = \left( {B_{j}^{(i)} \cdot {\prod\limits_{m = 1}^{r}\; R_{m}^{{({- 1})}^{i + r} \cdot {\prod\limits_{n = 1}^{m - 1}\; {({x_{j}^{(i)} - x_{w}^{(n)}})}}}}} \right)^{\frac{1}{\prod\limits_{j = 1}^{r}\; {({\gamma - x_{w}^{(l)}})}}}}$

for a value of w∈[1,d_(x)], for example, w=1.

The calculation of the new value DK_(i,)

be implemented by each processing entity in accordance with the invention. This calculation can alternatively be carried out by a third entity. Any other procedure to update said key can also be used.

The invention provides as an alternative that revocation data can be transmitted, to processing entities in conjunction with encrypted control words. Thus, it is not necessary to transmit said data in a dedicated mode. These can, for example, be an integral part of the ciphertext such that c=(W₁,W₂,s,U,D

) according to the second embodiment of a method provided by the invention for transmitting a control word.

In addition, it may be provided that the modification of the decryption key DK_(i)←DK_(i,)

be performed by the processing entity just before the step to generate a control word.

We can see that to implement a permanent revocation, the step performed by the server to generate the key DK_(i), as well as the one performed by the entities to generate the plaintext of the control word k, are unchanged. The generator h, in turn, is no longer fixed to generate the ciphertext. Indeed, h depends on all the entities revoked. The decryption key is also no longer fixed when generating the plaintext k.

The invention further provides to adapt a method consistent with the invention, to implement a temporary revocation. As before, let us use the example of the second embodiment of a method according to the invention to illustrate this feature. Similarly, let us consider that the treacherous entities are entities E1 to Er (or the secure subscriber devices 1 ₁ à 1 _(r)) numbered from 1 to r.

A first additional step consists—just as for the permanent revocation—in calculating revocation data D

such that D

=(R₁, . . . , R_(r)) with

${R_{1} = h^{\frac{1}{\gamma + x_{j}^{(i)}}}},{R_{2} = h^{\frac{1}{{({\gamma + x_{j}^{(1)}})} \cdot {({\gamma + x_{j}^{(2)}})}}}},\ldots \mspace{14mu},{R_{r} = h^{\frac{1}{{({\gamma + x_{j}^{(1)}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + x_{j}^{(r)}})}}}}$

for a value of j∈[1,d_(x)], for example, j=1. The value of the generator h is then modified to take the value of

$\left. {R_{r}\text{:}\mspace{14mu} h}\leftarrow R_{r} \right. = {h^{\frac{1}{{({\gamma + x_{j}^{(1)}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + x_{j}^{(r)}})}}}.}$

The server produces the encrypted control word as a result of components such that c=(W₁,W₂,s,U,D

,x_(j) ⁽¹⁾, . . . , x_(j) ^((r))). The first four components W₁, W₂, s and U are typically generated (with the difference that h is modified in advance) such that h←R_(r)). U=(U₁, . . . , U_(d) _(s) ) is a vector of the d_(s) values such that

${U_{1} = h^{\frac{1}{\gamma + s_{1}}}},{U_{2} = h^{\frac{1}{{({\gamma + s_{1}})} \cdot {({\gamma + s_{2}})}}}},\ldots \mspace{14mu},{U_{d_{s}} = h^{\frac{1}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}}},{W_{1} = \left( g^{\gamma} \right)^{m}},{W_{2} = {h^{\frac{m}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}} = U_{d_{s}}^{m}}},$

m being an integer. The ciphertext also includes D

and x_(j) ⁽¹⁾, . . . , x_(j) ^((r)) for the chosen value of j.

Upon receiving an encrypted control word c, a processing entity Ei implements a step to generate the plaintext of said control word.

This step is adapted to calculate k such that

$\mspace{20mu} {k = {e\left( {g^{\gamma},{\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{({i,})} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} \right)}}{\cdot {e\left( {A_{i},W_{2}} \right)}}$ ${{where}\mspace{11mu} {\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{({i,\Re})} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} = {\prod\limits_{j = 1}^{d_{x}}\; {\left( {B_{j}^{(i)} \cdot {\prod\limits_{y = 1}^{r}\; U_{y}^{{({- 1})}^{i + r} \cdot {\prod\limits_{n = 1}^{y - 1}\; {({x_{j}^{(i)} - s_{n}})}}}}} \right)^{\frac{1}{\prod\limits_{l = 1}^{r}\; {({x_{j}^{(i)} - s_{l}})}}}.}}$

We can see that to implement a temporary revocation, the step to generate key DK_(i) remains unchanged. The generator h is no longer fixed because it depends on all the revoked entities. The step to generate a ciphertext is simply preceeded by the assignment of said generator before generating a ciphertext. The production of the plaintext of the control word k is adapted to implement the temporary revocation.

The invention has been described in connection with the field of conditional access to protected content as an example of preferred application. The invention could be applied to other fields where it is necessary to transmit to a plurality of processing entities a ciphertext whose plaintext is used, by such entities. 

1. A secure method for transmitting a control word between a server and a plurality of processing entities for respectively generating and using said control word, said method comprising: a step for generating by the server an encrypted control word c whose plaintext k is intended to be used by the processing entity; a step for transmitting the encrypted control word c generated to the processing entities; a step for receiving by said entities the encrypted control word c; a step for generating a control word k by each processing entity from the encrypted control word c received; wherein: the server generates the ciphertext of a control word from: i. a vector s of d_(s) elements each belonging to the set

_(p)* of non-zero integers modulo p, p being a prime number, d_(s) being an integer strictly greater than 1 and small compared to the number of processing entities; ii. a secret value γ known to the server and belonging to the set

_(p)* of non-zero integers modulo p; iii. two generators belonging respectively to two cyclic groups

₁ and

₂ of order p, parameters of a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of order p where e(•,•) is a coupling such that e:

₁×

₂→

_(T),

_(T) being a third cyclic group of order p; each processing entity generates a control word k from: i. the encrypted control word c; ii. a decryption key DK_(i) known to the i^(th) entity and previously generated from: a) a vector x^((i)) of d_(x) elements each belonging to the set

_(p)* of non-zero integers modulo p, d_(x) being an integer strictly greater than 1 and small compared to the number of processing entities, the vector x^((i)) being dedicated to the entity concerned; b) the secret value γ; c) a generator belonging to one of the cyclic groups of the bilinear group β.
 2. A method according to claim 1 comprising beforehand: a step for developing a master secret key MK comprising the secret component γ associated with public parameters among the bilinear group β; a step for storing said key and the public parameters within the server; a step for storing said public parameters within each processing entity; a step for generating, transmitting and storing decryption keys DK_(i), respectively dedicated and distinct, within the processing entities.
 3. A method according to claim 1, wherein each decryption key DK_(i) generated comprises a component of the form $z^{\frac{1}{P{(\gamma)}}},$ z being a generator belonging to one of the cyclic groups of the bilinear group β, and P being a polynomial in γ.
 4. A method according to claim 2, wherein; said method comprises: i. a step for selecting g and h, two generators belonging respectively to cyclic groups

₁ and

₂; ii. a step for generating as public parameters—in addition to β and h—the components g^(γ), g^(γ) ² , . . . , g^(γ^(d_(s) − 1)), h^(γ), h^(γ) ² , . . . , h^(γ^(d_(x) − 1)); the secret key MK comprises γ and g; the step for generating a decryption key DK_(i) comprises generating said key as a result of two components such as DK_(i)=(x^((i)),A_(i)) where $A_{i} = g^{\frac{1}{P{(\gamma)}}}$ with P(γ)=(γ+x₁ ^((i)))·(γ+x₂ ^((i))) . . . (γ+x_(d) _(x) ^((i))); the step for generating the encrypted control word comprises generating said word as a result of two components such that $c = \left( {s,h^{\frac{1}{Q{(\gamma)}}}} \right)$ with Q(γ)=(γ+s₁)·(γ+s₂) . . . (γ+s_(d) _(s) ); the step for generating the control word k comprises calculating k such that $k = {{e\left( {g^{a},h^{\frac{1}{Q{(\gamma)}}}} \right)} \cdot {e\left( {A_{i},h^{\xi}} \right)} \cdot {e\left( {A_{i},h^{\frac{1}{Q{(\gamma)}}}} \right)}^{\theta}}$ ${{{where}\mspace{14mu} \theta} = \frac{1}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}},$ ${\alpha = {1 - {\frac{\sum\limits_{l = 1}^{d_{s}}\; \frac{Q_{l}(\gamma)}{R_{l}\left( {- s_{l}} \right)}}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}\mspace{20mu} {and}}}}\mspace{11mu}$ $\; {\xi = {{- \frac{\sum\limits_{l = 1}^{d_{x}}\; \frac{P_{l}(\gamma)}{R_{l + {ds}}\left( {- s_{l}} \right)}}{\sum\limits_{l = 1}^{d_{s}}\; \frac{\prod\limits_{j \neq l}^{d_{s}}\; s_{j}}{R_{l}\left( {- s_{l}} \right)}}}\mspace{14mu} {with}}}\mspace{11mu}$ $\; {{{Q_{l}(\gamma)} = {\prod\limits_{\underset{j \neq l}{j = 1}}^{d_{s}}\; \left( {s_{j} + \gamma} \right)}},{{{{{P_{l}(\gamma)} = {\prod\limits_{\underset{q \neq l}{q = 1}}^{d_{x}}\; \left( {x_{q}^{(i)} + \gamma} \right)}},{{R_{l}(\gamma)} = {\prod\limits_{\underset{j \neq l}{j = 1}}^{d_{s} + d_{x}}{\left( {s_{j} + \gamma} \right)\mspace{14mu} {and}}}}}\mspace{11mu} \; s_{d_{s} + m}} = {{x_{m}^{(i)}\mspace{14mu} {for}\mspace{14mu} m} = 1}},\ldots \mspace{14mu},{d_{x}.}}$
 5. A method according to claim 2, wherein: said method comprises a step for selecting g and h, two generators belonging respectively to the groups

₁ and

₂; the public parameters comprise β; the secret key MK comprises γ and g; the step for generating a decryption key DK_(i) comprises generating said key as a result of two components such that DK_(i)=(A_(i),B_((i))) where $\mspace{14mu} {A_{i} = g^{\sum\limits_{j = 1}^{d_{x}}\; \frac{x_{j}^{(i)}}{\gamma + x_{j}^{(i)}}}}$ and the vector B^((i)) of d_(x) elements such that $\begin{matrix} {{B^{(i)} = \left( {B_{1}^{(i)},x_{1}^{(i)}} \right)},\left( {B_{2}^{(i)},x_{2}^{(i)}} \right),\ldots \mspace{14mu},\left( {B_{d_{x}}^{(i)},x_{d_{x}}^{(i)}} \right)} \\ {{= {\left( {h^{\frac{1}{\gamma + x_{1}^{(i)}}},x_{1}^{(i)}} \right)\left( {h^{\frac{1}{\;^{\gamma + x_{2}^{(i)}}}},x_{2}^{(i)}} \right)}},\ldots \mspace{14mu},\left( {h^{\frac{1}{\;^{\gamma + x_{d_{x}}^{(i)}}}},x_{d_{x}}^{(i)}} \right)} \end{matrix}$ the step for generating the encrypted control word comprises generating said word as a result of 4 components, such that c=(W₁,W₂,s,U) with U vector of d_(s) values such that ${U_{1} = h^{\frac{1}{\;^{\gamma + s_{1}}}}},{U_{2} = h^{\frac{1}{{({\gamma + s_{1}})} \cdot {({\gamma + s_{2}})}}}},\ldots \mspace{14mu},{U_{d_{s}} = h^{\frac{1}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}}},{W_{1} = \left( g^{\gamma} \right)^{m}},{W_{2} = {h^{\frac{m}{{({\gamma + s_{1}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + s_{d_{s}}})}}} = U_{d_{s}}^{m}}},$ m being an integer; the step for generating the control word k comprises calculating k such that $\mspace{79mu} {k = {{e\left( {g^{\gamma},{\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{(i)} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} \right)} \cdot {e\left( {A_{i},W_{2}} \right)}}}$      where ${\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{(i)} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}} = {\prod\limits_{j = 1}^{d_{x}}\; {\left( {B_{j}^{(i)} \cdot {\prod\limits_{y = 1}^{d_{s}}\; U_{y}^{{({- 1})}^{i + d_{s}} \cdot {\prod\limits_{n = 1}^{y - 1}\; {({x_{j}^{(l)} - s_{n}})}}}}} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({x_{j}^{(i)} - s_{l}})}}}.}}$
 6. A method according to claim 5, further comprising a step for generating revocation data D

such that D

=(R₁, . . . , R_(r)) with ${R_{1} = h^{\frac{1}{\gamma + x_{j}^{(1)}}}},{R_{2} = h^{\;^{\frac{1}{{({\gamma + x_{j}^{(1)}})} \cdot {({\gamma + x_{j}^{(2)}})}}}}},\ldots \mspace{14mu},{R_{r} = h^{\;^{\frac{1}{{({\gamma + x_{j}^{(1)}})}\mspace{14mu} \ldots \mspace{14mu} {({\gamma + x_{j}^{(r)}})}}}}}$ and the generator h takes the value R_(r) prior to the implementation of the step for generating the encrypted control word.
 7. A method according to claim 6, further comprising a step to change the value of the decryption key prior to the implementation of the step for generating the plaintext of a control word, said key taking a value DK_(i,)

=(A_(i),B_((i,)

₎) with $\begin{matrix} {B_{j}^{({i,\Re})} = \left( B_{j}^{(i)} \right)^{\frac{1}{\prod\limits_{j = 1}^{r}\; {({\gamma + x_{w}^{(l)}})}}}} \\ {= \left( {B_{j}^{(i)} \cdot {\prod\limits_{m = 1}^{r}\; R_{m}^{{({- 1})}^{i + r} \cdot {\prod\limits_{n = 1}^{m - 1}\; {({x_{j}^{(i)} - x_{w}^{(n)}})}}}}} \right)^{\frac{1}{\prod\limits_{j = 1}^{r}\; {({\gamma - x_{w}^{(l)}})}}}} \end{matrix}$ for a given value of w∈[1,d_(x)].
 8. A method according to claim 6, wherein the ciphertext further comprises D

and x_(j) ⁽¹⁾, . . . , x_(j) ^((r)) a selected value of j∈[1,d_(x)] and the step for generating k is adapted to generate the plaintext of a control word such that $\mspace{20mu} {k = {{e\left( {g^{\gamma},{\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{({i,\Re})} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}}} \right)} \cdot {e\left( {A_{i},W_{2}} \right)}}}$   where ${\prod\limits_{j = 1}^{d_{x}}\; \left( B_{j}^{({i,\Re})} \right)^{\frac{1}{\prod\limits_{l = 1}^{d_{s}}\; {({\gamma + s_{l}})}}}} = {\prod\limits_{j = 1}^{d_{x}}\; {{\left( {B_{j}^{(i)} \cdot {\prod\limits_{y = 1}^{r}\; U_{y}^{{({- 1})}^{i + r} \cdot {\prod\limits_{n = 1}^{y - 1}\; {({x_{j}^{(i)} - s_{n}})}}}}} \right)^{\;}}^{\frac{1}{\prod\limits_{l = 1}^{r}\; {({x_{j}^{(i)} - s_{l}})}}}.}}$
 9. A method for conditional access to digital content comprising: a step for encoding a digital content M and generating an encoded content C using an encoding function implemented by a broadcast server of protected digital content; a step for generating by said broadcast server of protected digital contents an encrypted control word c whose plaintext k is intended for use by a plurality of subscriber processing entities for decoding said encoded content C; a step for transmitting through a distribution network and for subscriber processing entities, said encoded content C and encrypted control word c; a step for receiving by each subscriber processing entity said encoded content C and encrypted control word c; a step for generating the plaintext of a control word k by each subscriber processing entity from the ciphertext c; a step for decoding by each subscriber processing entity the encoded content C and generating a content M from a decoding function and k; a step for retrieving said content M using an interface adapted to said content; wherein: the steps for generating and transmitting an encrypted control word by the broadcast server of protected digital contents as well as the steps for receiving and generating the plaintext of a control word by the subscriber processing entities comply with the secure method for transmitting a control word between a server and a plurality of processing entities according to claim
 1. 10. The method according to claim 9, each processing entity comprising a terminal in association with a secure subscriber device implementing respectively the decoding of an encoded content and the generating of the plaintext of an encrypted control word, wherein: the step for receiving an encoded content C and an encrypted control word c by a processing entity comprises: i. receiving the encoded content and encrypted control word by the terminal; ii. transmitting the encrypted control word c by the terminal to the secure subscriber device cooperating with said terminal; the step for generating the plaintext of a control word k in a processing entity comprises generating the plaintext by the secure subscriber device which delivers it to the terminal; the step for decoding an encoded content C comprises implementing by the terminal the decoding function for generating a content M from the encoded content C and from said control word k.
 11. A server of a conditional access system in connection with a plurality of subscriber processing entities, comprising: means for storing a secret value γ belonging to the set

_(p)* of non-zero integers modulo p, p being a prime number, a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of order p where e(•,•) is a coupling such that e:

₁×

₂→

_(T),

₁,

₂ and

_(T) being cyclic groups of order p and a vector s of d_(s) elements, each belonging to the set

_(p)*, d_(s) being an integer strictly greater than 1 and small compared to the number of processing entities; processing means for generating: i. a ciphertext c of a control word from the vector s, of the secret value γ and of two generators respectively belonging to cyclic groups

₁ and

₂; ii. an encoded content C from a content M; means to deliver said encoded content C and encrypted control word c to the outside world.
 12. A processing entity of a conditional access system having a plurality of such entities, said entities being connected to a server according to claim 11, said entity comprising: means for storing public parameters comprising a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of first order p where e(•,•) is a coupling such that e:

₁×

₂→

_(T),

₁,

₂,

_(T) being cyclic groups of order p, said bilinear group being known to the server so that it generates and transmits to the processing entities an encrypted control word c; means for storing a dedicated decryption key DK_(i) previously generated from: i. a vector x^((i)) of d_(x) values, each belonging to the set

_(p)* of non-zero integers modulo p, d_(x) being an integer strictly greater than 1 and small compared to the number of processing entities, the vector x^((i)) being dedicated to the entity concerned; ii. a secret value γ known to the server; iii. a generator belonging to one of the cyclic groups of the bilinear group β; means for receiving data from the outside world as encoded content C and encrypted control word c; processing means adapted to generate a control word from said data and the decryption key; processing means for generating a content M from said data and the control word k; means for providing said content to a suitable man-machine interface for retrieving said content M.
 13. A processing entity according to claim 12, comprising an electronic terminal cooperating with a secure subscriber device for, respectively, decoding the encoded content C and generating then delivering to said terminal, the plaintext of control word k for said decoding.
 14. The terminal for a processing entity according to claim 13, comprising: means for receiving data from the outside world; means for cooperating with the secure subscriber device (1 a, 1 b, 1 m, 1 i) to transmit to the latter the encrypted control word c and to receive in return the control word k; the processing means for generating the content M; the means to deliver said content to a man-machine interface adapted to restore said content.
 15. An electronic subscriber device for processing entity adapted to cooperate with a terminal according to claim 14, said device comprising: receiving means for receiving the encrypted control word from the terminal; storage means for storing the public parameters; storage means for storing a dedicated decryption key DK_(i); processing means for generating the control word k from said ciphertext c and key DK_(i); means for delivering said control word to said terminal.
 16. A conditional access system to a digital content, comprising a server according to claim 11 in association with a plurality of subscriber processing entities wherein each of the plurality of processing entities comprises: means for storing public parameters comprising a bilinear group β=(p,

₁,

₂,

_(T),e(•,•)) of first order p where e(•,•) is a coupling such that e:

₁×

₂→

_(T),

₁,

₂,

_(T) being cyclic groups of order p, said bilinear group being known to the server so that it generates and transmits to the processing entities an encrypted control word c; means for storing a dedicated decryption key DK_(i) previously generated from: i. a vector x^((i)) of d_(x) values, each belonging to the set

_(p)* of non-zero integers modulo p, d_(x) being an integer strictly greater than 1 and small compared to the number of processing entities, the vector x^((i)) being dedicated to the entity concerned; ii. a secret value γ known to the server: iii. a generator belonging to one of the cyclic groups of the bilinear group β; means for receiving data from the outside world as encoded content C and encrypted control word c; processing means adapted to generate a control word from said data and the decryption key; processing means for generating a content M from said data and the control word k; means for providing said content to a suitable man-machine interface for retrieving said content M. 